A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvents fraud protections built into the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.
According to M86 researcher Rodel Mendrez, the locally stored file opens a web form that collects the customers …

And ignorant people as yourself? Do You hate them too?

I don't trust they will not cut my brakes. I HOPE they will not do it. I BELIEVE they will not do it - basically because they would be caught after the third death in a row.

By the same logic, I BELIEVE my burger is crap-free when I buy it from a reputable place. Because You can't keep a business which sells bad food every now and then. Because, You see, your customers (ex-customers, should I say?) would be not very happy.

And I DO check a ladder before buying it. Don't You?

And make up your mind. Do I know this email is from Bank DDD or not? Because, You see, this only works if the email isn't - and You think it is.

So, Yes. They are stupid. Either because they know how to tell one email from the other - and failed - or because they don't know that they don't know how to tell one email from the other, and choose to click the same way.

One is not stupid because of his/her ignorance. One is stupid when he/she doesn't know that he/she doesn't know.

People are stupid

I see it every day.

In the case of phishing emails there is one simple rule that will protect you - DO NOT USE A LINK IN AN EMAIL TO LOG IN TO ANYTHING THAT COULD COST YOU MONEY. Always open your browser and visit the site using a bookmark or a Google/Bing search. ALWAYS.

Anyone with half a brain should realise that often emails from banks are not legit by the number they receive from banks that they are not customers of. But, most are too busy thinking about football, celebrities or the state of their fake tan to pay attention.

Umm....

"visit the site using a bookmark or a Google/Bing search."

With blackhat SEO (search-engine optimization for those not-in-the-know), it's very easy to get a site near the top (if not THE top) of Google or Bing that even appears to be the site you are looking for. Even the "URL" displayed below (shown in green on Google) does not display the actual URL of the site. I've stumbled upon these myself.

The best way to visit Bank of America or the like? Type: "www.bankofamerica.com" into your address bar. If you've got a decent browser, it will DNS resolve and take you straight to their website. If you don't, it might land you on a Google page with BoA as the first link, hopefully. (those that just typed "bank of america")

You could say...

this is not new

Don't use html messages

"few PHP URLs get reported as abusive by most end users because of the technical expertise that's required. With no visible HTML accompanying them, there's little for the average user to go on."

Phishing scams start with email messages that tempt you to open web pages, whether local, on some compromised computer or on the scammer's server. The number one rule should be never to read html messages, even if that means not using webmail services. Use a decent email client like Messenger Pro that allows you to work in plain text, and strips out the markup in html-only messages. You can also view the raw message if you want to. If you can see what the link URLs actually are then it is usually obvious when they are malign (but watch out for small spelling alterations in domain names). I have recently received several phishing messages that post forms to .ru addresses although they purport to come from UK banks.
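Added example, not part of the comment above or of the article: a defender-side check that parses a raw message, finds HTML parts (including attachments) and reports where each link and form really points, which is the inspection the comment describes doing by eye. The sample message, the `bank.example` domain, the `.invalid` hosts and the function names are all constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all hosts are placeholders, not real indicators).
SAMPLE = """\
From: "Example Bank" <security@bank.example>
Subject: Account verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="utf-8"

Please open the attached form to restore access.
--BOUND
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="form.html"

<a href="http://bank-example.invalid/login">https://www.bank.example/</a>
<form method="post" action="http://collector.invalid/save.php">
<input name="card"><input type="submit"></form>
--BOUND--
"""

class TargetCollector(HTMLParser):
    """Record where each link and form in an HTML part really points."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = {"a": "href", "form": "action"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.targets.append((tag, url, urlparse(url).hostname))

def audit_message(raw, trusted_domain):
    """Return (filename, tag, url, trusted) for every link/form target found."""
    findings = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            collector = TargetCollector()
            collector.feed(part.get_content())
            for tag, url, host in collector.targets:
                # Trusted only if the host is the domain itself or a subdomain.
                ok = bool(host) and (host == trusted_domain or host.endswith("." + trusted_domain))
                findings.append((part.get_filename(), tag, url, ok))
    return findings
```

The suffix match requires a leading dot, so a look-alike such as `bank-example.invalid` is not treated as belonging to `bank.example`.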

spam filter?

These things are immediately filtered out by most spam filters, so unless you go out of your way to open the email (already identified as spam) you will have a job falling foul of these attacks. That said, there are some incredibly naive people out there who have no idea that this sort of thing happens. Poor loves.

phishing attacks defeat Firefox and Chrome

> A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvents fraud protections built into the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.

Do these phishing attacks work on the Mac or Linux, or with scripting disabled in your email application, and can I have a link to a working demo?